diff -r b61e849fe451 -r 9ae2b79d3bb1 mozilla-flex_buffer_overrun.patch
--- a/mozilla-flex_buffer_overrun.patch Wed Jan 18 22:06:23 2017 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-# HG changeset patch
-# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e
-Patch lexical parser files generated by flex which may be potentially
-exploitable in a buffer overrun. These seem to come from an upstream projects
-(CMU Sphinx and ANGLE) so it should be fixed there in the first place.
-
-CVE-2016-6354
-
-https://bugzilla.suse.com/show_bug.cgi?id=990856
-
-diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
---- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
-+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
-@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
-
- else
- {
-- yy_size_t num_to_read =
-+ int num_to_read =
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-
-diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
---- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
-+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
-@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
-
- else
- {
-- yy_size_t num_to_read =
-+ int num_to_read =
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-
-diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
---- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
-+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
-@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t
- if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- /* don't do the read, it's not guaranteed to return an EOF,
- * just force an EOF
- */
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
-
- else
- {
-- yy_size_t num_to_read =
-+ int num_to_read =
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
-
- while ( num_to_read <= 0 )
- { /* Not enough room in the buffer - grow it. */
-
- /* just a shorter name for the current buffer */
- YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-